topic Re: Authentication failed from AD in General Topics

Authentication failed from AD

Jafar_Hussain — Mon, 03 Aug 2020 12:19:29 GMT

Hello,

I have integrated the AD with Paloalto , it is working fine and i can see the IP user mapping is correct, once i tested authentication profile

I got the below error:-

Once i tested the authentication by local profile it is working fine.

Can anyone help me on this to reolve this issue.

Re: Authentication failed from AD

Chris_Johnston — Mon, 03 Aug 2020 19:49:09 GMT

IP to UserMapping is separate than LDAP.

Based off your error message in the first screenshot, 'Failed to create a session with LDAP server', I would point towards a network level issue from the firewall MGMT IP (assuming no custom service routing) and the LDAP controller. Could also be permissions on the service account used, but I would bet dollars to donuts it's network level. Also - TLS/389? I know it's possible, but...might need to swap to port 636

Local auth used in second is just authenticating against the local user database on the FW, no LDAP connection needed

Re: Authentication failed from AD

MP18 — Tue, 04 Aug 2020 00:12:54 GMT

@Jafar_Hussain

Is this new setup?

Please check below document it has step bu step info on troubleshooting

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClpoCAC

Also try below commands to do the TCPdump on the management port

Command to capture LDAP traffic if using management port

> tcpdump filter "port 389"

Command to view the pcap taken off the management port

> view-pcap mgmt-pcap mgmt.pcap

Regards

Re: Authentication failed from AD

Jafar_Hussain — Tue, 04 Aug 2020 19:05:20 GMT

@Chris_Johnston @MP18

Yes this is a new setup. i have gone through the documents and changed the service account with ssl/tls 636 port.

My LDAP, UID, DNS service route changed via data plane interface I have tried everything but still, the issue is the same.

Re: Authentication failed from AD

Chris_Johnston — Tue, 04 Aug 2020 19:26:43 GMT

Will need to check your authd.log if you've checked everything from above. I would also double check your firewall policy to ensure that dataplane source interface/zone is allowed to the other zone that 10.10.10.100 exists in.

I've also noticed theres more helpful information in group mapping failures versus auth attempts (lists bad password/fail to connect/etc). Do you have group mapping configured for the associated ldap profile? If you show the group mapping state, what is the output?

CLI

show user group-mapping state <name of group mapping profile referencing the LDAP Profile>

Future troubleshooting for auth specific, if group mapping is successful.

SSH to firewall, issue the following command

tail follow yes mp-log authd.log

while that is running, test authentication via another SSH window and paste results (sans business specific information that may be present)